Modular Verification of Argos Programs

Agathe Merceron (1) and G. Michele Pinna (2)

(1) Basser Department of Computer Science, University of Sydney, Madsen Building F09, NSW 2006, Australia
[email protected]

(2) Dipartimento di Matematica, Università di Siena, Via del Capitano 15, I-53100 Siena, Italy
[email protected]
Abstract. Synchronous languages have been proposed to specify reactive real-time systems. Since such systems are used in safety-critical areas, their formal verification is crucial. For machine and human efficiency, modular verification is advisable. For the synchronous language Argos, a Statechart variant, modular verification means having a method compatible with parallel composition and refinement. We present a translation of Argos programs into Boolean Automata. This translation clarifies the relation between refinement and parallel composition. We deduce modular verification results for properties expressed as ∀CTL formulas.
1 Introduction

Synchronous languages have been proposed to specify reactive real-time systems [2]. A reactive system interacts constantly with its environment. In the synchronous approach, the environment produces input signals and the system reacts with output signals quickly enough that inputs and outputs appear to be synchronous, which is known as the synchrony hypothesis [2]. Such a reaction constitutes the basic time unit, called an instant. Signals are broadcast. Because reactive systems are used in areas where safety is a critical issue, their formal verification is crucial [2, 1]. Automatic verification methods have been put forward to formally verify systems where control is prevalent, which is quite often the case for, at least, a core part of a reactive system. A well-known automatic verification method is model checking [4]. Modular verification is advantageous because it allows one to consider simpler properties on smaller systems. The modules and the properties should be chosen in such a way that what has been proved for a module can be inherited by the whole system. This paper presents results on modular verification considering model checking of Argos programs and the logic ∀CTL. The language Argos is a synchronous variant of Statecharts without inter-level transitions [6, 8]. In Statecharts the two main operators to compose modules are parallel composition and refinement [6]. Our work relies on a translation scheme common to synchronous languages, the Boolean Automata [11, 7], BA for short. We first show how to cast Argos programs into BA. This casting clarifies the relation existing between refinement and parallel composition, which is not obvious in Statecharts.

This insight suggests the results that can be achieved with respect to modular verification versus refinement. Modular verification versus parallel composition has already been studied [5], and we show that similar results hold for Argos programs: if a property holds for a component, it also holds for the whole program. An Argos program Q can refine some state h of another Argos program P, giving the resulting program R. Roughly we obtain: if a property $\phi$ holds for P, it holds for R, whereas if $\phi$ holds for Q, then $\phi$ holds as long as control is in h. In the next section we present Argos, Boolean Automata, the translation of Argos programs into BA, and list some properties of the BA so obtained. The parallel composition of BA turns out to be the key operation behind parallel composition and refinement. Section 3 introduces ∀CTL and the modular verification results. For lack of space, full proofs are omitted. Concluding remarks, related work and outlook are given in section 4.
2 Argos and Boolean Automata

[Figure 1: a simple Argos diagram. States q0 (initial, drawn in bold) and q1; transitions q0 --a/b--> q1 and q1 --c.-a/d--> q0.]

Diagrams that build Argos programs may be seen as Mealy machines where a transition from a state $q_i$ to a state $q_j$ is made of a boolean expression followed by output signals. Consider the Argos diagram of Figure 1. The initial state is the one drawn in bold, q0. The automaton stays in state q0 as long as the input signal a is absent. If a is present, the automaton goes to state q1 emitting b. The automaton stays in state q1 as long as c is absent or a present. When c is present and a absent, which is coded by c.-a, the automaton goes back to q0 emitting d. Let $S$ be an alphabet; a literal is an element of $S$ or its negation, and we denote by $M(S)$ the set of boolean conjunctions of literals of $S$.

Definition 1. An Argos diagram is a tuple $A = (Q, q_0, T, In, Out)$ where $Q$ is a finite set of states and $q_0$ is the initial state; $In$ is a set of input signals and $Out$ is a set of output signals; $O = In \cup Out$ is called the set of observable signals; $T \subseteq Q \times M(In) \times 2^{Out} \times Q$ is the set of transitions. A transition $t = (q_i, M, O, q_j)$ has three parts: the source state $q_i$, the target state $q_j$ and the label $(M, O)$. $M$ is the condition part of the label and $O$ is the output part. A computation of $A$ is a sequence of states and sets of signals $q_0 E_0 q_1 E_1 \ldots q_n$ or $q_0 E_0 q_1 E_1 \ldots$ such that for any $0 \le i < n$ (or $i \ge 0$) the set $E_i$ either does not enable any transition $t = (q_i, M, O, q)$, and one has $q_{i+1} = q_i$, or it enables the transition $t = (q_i, M, O, q_{i+1})$, where enable means: $O \subseteq E_i$, $E_i \setminus O \subseteq In$, and $M$ evaluates to true when any non-negated literal $l$ is set to true iff $l \in E_i$, and conversely for negated literals. Argos programs are assumed to be deterministic (which is checked by the compiler): given a set of input signals and a state of the diagram, at most one transition is enabled, so the next state is uniquely
determined. $q_0 \{a, b\} q_1 \{a\} q_1 \{c, d\} q_0 \ldots$ is a computation of the Argos diagram in Figure 1.

The parallel composition of two programs is represented by putting them side by side. Figure 2 composes two diagrams in parallel. A state of the Argos program now consists of two diagram states. The initial state is {a0, b0}. If b is present, control goes to state {a1, b0} emitting f and e. If g is present, it goes to {a0, b1} emitting c, and if both are present it goes to the final state {a1, b1} emitting {f, e, c}.

[Figure 2: the parallel composition of two Argos diagrams: a0 --b/f,e--> a1 and b0 --g/c--> b1, with a0 and b0 initial.]

Because of broadcasting and the synchrony hypothesis, output signals produced in some part of the program are instantaneously available to all the other parts that are listening to them.
Definition 2. The parallel composition of two Argos programs $A_1$ and $A_2$ is the tuple $A = (Q_1 \times Q_2, (q_{01}, q_{02}), T, (In_1 \cup In_2) \setminus (Out_1 \cup Out_2), Out_1 \cup Out_2)$ where $t \in T$ can have one of the three following forms, for $t_1 = (q_1, M_1, O_1, q'_1) \in T_1$ and $t_2 = (q_2, M_2, O_2, q'_2) \in T_2$:

  $t^1 = ((q_1, q_2), M_1, O_1, (q'_1, q_2))$
  $t^2 = ((q_1, q_2), M_2, O_2, (q_1, q'_2))$
  $t^{12} = ((q_1, q_2), M_1 \wedge M_2, O_1 \cup O_2, (q'_1, q'_2))$

A computation of $A$ is as before. Because Argos programs are deterministic, it is always uniquely determined which transition has to be executed. For any $i \ge 0$, if $E_i$ enables a $t^{12}$ transition then this is taken. If $E_i$ enables a $t^1$ transition but not a $t^{12}$ transition, and similarly for a $t^2$ transition, then these are taken. Summing up: both components go to a next state if possible.

Refinement allows states of Argos diagrams to be refined. Consider the program of Figure 1 with its initial state q0 refined by the program of Figure 2. The initial state of the refining program is entered as soon as the refined state is entered. Similarly, the refining program is preempted as soon as the refined state is left. Consequently, the initial state of this program is {q0, a0, b0}. If g is present, c is emitted and the program goes to state {q0, a0, b1}. Note that d is not emitted since q1 does not belong to the actual state of the program. If a is present, then b is instantaneously emitted, and f and e as well, since a0 belongs to the actual state of the program. Then q0 is left. The program of Figure 2 is preempted and the state of the whole program is {q1} only. To make the definition more intuitive, we present it when one state is refined. The general definition refines all the states at once, possibly with a nil Argos diagram if the node is not refined.
Definition 3. The refinement of an Argos diagram $A_1$ by the Argos program $A_2$ at state $q \in Q_1$ is the tuple $A = ((Q_1 \setminus \{q\}) \cup (\{q\} \times Q_2), q_{in}, T, (In_1 \cup In_2) \setminus (Out_1 \cup Out_2), Out_1 \cup Out_2)$ with $q_{in} = q_{01}$ if $q \ne q_{01}$, or $q_{in} = (q_{01}, q_{02})$ if $q = q_{01}$, and where $t \in T$ can have one of the following forms, for $t_1 = (q_1, M_1, O_1, q'_1) \in T_1$ and $t_2 = (q_2, M_2, O_2, q'_2) \in T_2$:

  $t^1 = t_1$ if $q_1 \ne q$ and $q'_1 \ne q$,
  $t^2 = ((q, q_2), M_2, O_2, (q, q'_2))$ or $t^{12} = ((q, q_2), M_1 \wedge M_2, O_1 \cup O_2, q'_1)$ for $q_1 = q$,
  $t^{+} = (q_1, M_1, O_1, (q'_1, q_{02}))$ for $q'_1 = q$.

In a similar way as for parallel composition, a computation of $A$ is a sequence such that for any $i \ge 0$ the set $E_i$ enables a $t^{12}$ transition, or enables a $t^1$ transition but not a $t^{12}$ or $t^2$ transition, or enables a $t^2$ transition but not a $t^{12}$ transition.
2.1 Boolean Automata
A BA reacts to some input signals taken from a set $In$, producing some output signals taken from a set $Out$. A reaction may depend on previous reactions. This memory is encoded by a finite set of registers $R$. By $B(X)$ we denote the set of boolean formulas over $X$.

Definition 4. A Boolean Automaton $P$ is a tuple $(R, In, Out, P^{\Leftarrow}, P^{\rightarrow})$ where $R$, the set of registers, $In$, the set of input signals, and $Out$, the set of output signals, are disjoint and finite. $O = In \cup Out$ are the observable signals. $P^{\Leftarrow}: Out \to B(\{\alpha\} \cup R \cup O)$ is the reaction function, $P^{\rightarrow}: R \to B(\{\alpha\} \cup R \cup O)$ is the next state function, and $\{\alpha\}$ is considered as the initial state; $\alpha \notin R \cup O$.
The reaction function $P^{\Leftarrow}$ is presented by equations using the arrow $\Leftarrow$, e.g. $o \Leftarrow \phi$. It is evaluated at each instant and its value depends on signals as well as on registers. It defines the instantaneous reaction of the synchronous program, i.e. which output signals are present or absent in a reaction. The output signal $o$ is present when $\phi$ evaluates to true in the equation $o \Leftarrow \phi$. The synchronous compiler defines the sequence for evaluating the assignments $o \Leftarrow \phi$. The next state function $P^{\rightarrow}$ is presented by equations using the arrow $\rightarrow$. Its value depends on signals as well as on registers. It defines the value of the registers for the next instant, i.e. the state for the next instant. Again, the register $r$ is active in the next instant if $\phi$ evaluates to true in $r \rightarrow \phi$. This evaluation terminates an instant. The assignments $r \rightarrow \phi$ may be executed in parallel. Consider Figure 3, which gives the BA of the Argos program of Figure 1. The boolean equation for b translates the fact that b is emitted if the automaton is in state q0 and a is present, while the one for d represents the fact that d is emitted if the automaton is in state q1 and c is present and a absent. The automaton enters state q0 initially, hence $\alpha$, or if it was in q1 and c is present and a absent, hence $(c \wedge \neg a) \wedge q1$. It remains in state q0 as long as a is absent, hence $\neg a \wedge q0$. The boolean equation for q1 obeys the same scheme.

  $R = \{q0, q1\}$; $In = \{a, c\}$; $Out = \{b, d\}$
  $P^{\Leftarrow}$:  $b \Leftarrow a \wedge q0$
                 $d \Leftarrow (c \wedge \neg a) \wedge q1$
  $P^{\rightarrow}$:  $q0 \rightarrow \alpha \vee ((c \wedge \neg a) \wedge q1) \vee (\neg a \wedge q0)$
                 $q1 \rightarrow (a \wedge q0) \vee (\neg(c \wedge \neg a) \wedge q1)$

Fig. 3. Boolean Automaton of the Argos automaton of Figure 1.

The parallel composition is the most relevant operation on BA. We compose two different automata and therefore their register sets are disjoint. Because of broadcast communication, output signals produced by one automaton are instantaneously available as inputs for another automaton which is composed in parallel. The two automata are then able to evolve to a next state. The reaction of the parallel composition is the union of the two reactions, and the next state is the union of the two next states.

Definition 5. Let $P_1$ and $P_2$ be BA with $R_1 \cap R_2 = \emptyset$. $P$ is the parallel composition of $P_1$ and $P_2$, denoted by $P = P_1 \| P_2$, iff:
1. $R = R_1 \cup R_2$, $O = O_1 \cup O_2$, $Out = Out_1 \cup Out_2$, $In = (In_1 \cup In_2) \setminus (Out_1 \cup Out_2)$;
2. $P^{\Leftarrow} = P_1^{\Leftarrow} \vee P_2^{\Leftarrow}$;
3. $P^{\rightarrow} = P_1^{\rightarrow} \vee P_2^{\rightarrow}$,
where $\vee$ is taken component-wise and $P_i^{\Leftarrow}(x) = \mathrm{false}$ if $x \notin \mathrm{domain}(P_i^{\Leftarrow})$, and similarly for $P_i^{\rightarrow}$, $i = 1, 2$.
For our purposes, the computations of a BA are better presented by a labeled transition system. With abuse of notation, given $\sigma$ a valuation of the registers (i.e. those in $R \cup \{\alpha\}$ that evaluate to true) and $E$ a valuation of the signals (again those in $O$ that are present), we denote by $P^{\Leftarrow}(\sigma, E)$ the set of output signals whose boolean formula evaluates to true and, similarly, we denote by $P^{\rightarrow}(\sigma, E)$ the set of registers whose formula evaluates to true.

[Figure 4: the transition system of $P$ (Figure 3). From $\{\alpha\}$ the labels {}, {a}, {c} and {a,c} lead to q0; q0 stays in q0 on {} and {c} and goes to q1 on {a,b} and {a,c,b}; q1 stays in q1 on {}, {a} and {a,c} and returns to q0 on {c,d}.]

Definition 6. The tuple $\mathcal{T} = (S, T, \{\alpha\}, R)$ is the labeled transition system of the synchronous automaton $P$ iff $S \subseteq 2^{R \cup \{\alpha\}}$, $T \subseteq 2^{O}$ and $R \subseteq S \times S$ are the smallest sets such that (a) $\{\alpha\} \in S$, and (b) if $\sigma \in S$, $I \subseteq In$, $E = I \cup P^{\Leftarrow}(\sigma, E)$ and $\sigma' = P^{\rightarrow}(\sigma, E)$ then $\sigma' \in S$, $E \in T$ and $(\sigma, \sigma') \in R$. We write $\sigma \xrightarrow{E} \sigma'$ instead of $(\sigma, \sigma') \in R$, $E = I \cup P^{\Leftarrow}(\sigma, E)$ and $\sigma' = P^{\rightarrow}(\sigma, E)$.
The transition system of $P$ is sketched in Figure 4. Considering only deterministic Argos programs, the BA we obtain are free of causality problems [2, 11] and the reachability relation $R$ of the associated labeled transition system is total. We turn now to the definition of homomorphism between transition systems.

Definition 7. A homomorphism from the labeled transition system $M = (S, T, s_0, R)$ to the labeled transition system $M_1 = (S_1, T_1, s_{01}, R_1)$ is a pair of relations $(H_1, H_2)$ with $H_1 \subseteq S \times S_1$, $H_2 \subseteq T \times T_1$ such that whenever $(\sigma, \sigma_1) \in H_1$, if $\sigma \xrightarrow{E} \sigma'$ then for some $\sigma'_1$ and $E_1$ we have $\sigma_1 \xrightarrow{E_1} \sigma'_1$, $(\sigma', \sigma'_1) \in H_1$ and $(E, E_1) \in H_2$.

Having defined the parallel composition of two BA, it is natural to ask how the behaviour of the compound BA is related to the behaviours of its components. Such a result requires $Out_1 \cap Out_2 = \emptyset$.

Theorem 8. Let $P = P_1 \| P_2$ with $Out_1 \cap Out_2 = \emptyset$. Then there is a homomorphism from $(S, T, \{\alpha\}, R)$ to $(S_i, T_i, \{\alpha\}, R_i)$, $i = 1, 2$.

Proof. By induction, showing that if $\sigma \xrightarrow{E} \sigma'$ then $\sigma \cap R_i \xrightarrow{E \cap O_i} \sigma' \cap R_i$.
2.2 From Argos to Boolean Automata

We begin with the translation of Argos diagrams into BA. Registers correspond exactly to states of the diagram. Let $h$ be any state or register. Then its boolean equation has the following form:

  $h \rightarrow \alpha_h \vee (\neg \beta_h \wedge h)$

where $\alpha_h$ is the boolean condition to enter the state $h$ and $\beta_h$ is the boolean condition to leave the state $h$. They are obtained as follows.
1. If $h$ is the initial state then $\alpha_h = \alpha \vee (\neg \gamma_h \wedge \bigvee_r (r \wedge M))$, otherwise $\alpha_h = \neg \gamma_h \wedge \bigvee_r (r \wedge M)$, the disjunction ranging over the transitions $(r, M, O, h)$. If $h$ does not have any predecessor state, $\alpha_h$ is only $\alpha$. As will be shown below, $\gamma_h$ is used for refinement. In a diagram where $h$ is not refined, $\gamma_h$ is set to false.
2. $\beta_h = \bigvee_r M$ over the transitions $(h, M, O, r)$. If $h$ does not have any successor state, $\beta_h$ is simply false.

Similarly, boolean equations for signals have the following form:

  $o \Leftarrow \bigvee_h (h \wedge M)$

over the transitions $(h, M, O, r)$ with $o \in O$. It follows that two consecutive states $h_1$ and $h_2$ of an Argos diagram, consecutive in the sense that $(h_1, M, O, h_2)$ is a transition, exhibit the following relation between their boolean equations: $M$ occurs in $\beta_{h_1}$ and in $\alpha_{h_2}$. The correctness of this translation is given in the following proposition.
Proposition 9. Let $A$ be an Argos diagram and $P$ its associated BA. Then $q_0 E_0 q_1 E_1 \ldots$ is a computation of $A$ iff $\{\alpha\} \xrightarrow{E} \{q_0\} \xrightarrow{E_0} \{q_1\} \xrightarrow{E_1} \ldots$ is a sequence of the transition system of $P$.

Proof. By induction, taking $E = \emptyset$.

Boolean automata obtained from Argos programs are called Argos BA. Obviously, the BA for the parallel composition of two Argos programs is obtained by taking the parallel composition of the two BA. As an Argos diagram is refined at some state $q$ by another Argos program with different states, an Argos BA $P_1$ is refined at register $h$ by some (Argos) BA $P_2$, giving the BA $P$. The register sets of $P_1$ and $P_2$ are assumed to be disjoint. $P_2$ becomes active when state $h$ is entered. Thus $\alpha$ of $P_2$ has to be substituted by $\alpha_h$ in the resulting BA $P$. As soon as state $h$ is exited, $P_2$ has to be exited as well. This also means that no new state of $P_2$ can be entered if $h$ has to be exited. Hence, for any register $h_2$ of $P_2$, $\gamma_{h_2}$ as well as $\beta_{h_2}$ have to be substituted by $\gamma_{h_2} \vee \beta_h$ and $\beta_{h_2} \vee \beta_h$ respectively, in the resulting BA $P$. The refinement of a state of an Argos BA with another Argos BA amounts to putting them in parallel while restricting the situations in which the second BA is active.
Definition 10. Let $P_1$ and $P_2$ be Argos BA with $R_1 \cap R_2 = \emptyset$ and $h \in R_1$. $P$ is the refinement of $P_1$ by $P_2$ at $h$, denoted by $P = P_1 \rhd_h P_2$, iff conditions 1 and 2 of Definition 5 hold and condition 3 is replaced by the following one:
3'. $P^{\rightarrow} = P_1^{\rightarrow} \vee P_2^{\rightarrow R}$, where $P_2^{\rightarrow R}$ is obtained from $P_2^{\rightarrow}$ by substituting $\alpha$ by $\alpha_h$, $\gamma_{h_2}$ by $\gamma_{h_2} \vee \beta_h$ and $\beta_{h_2}$ by $\beta_{h_2} \vee \beta_h$ in the boolean equation of any register $h_2$ of $R_2$.
Figure 5 shows the BA obtained when state q0 of Figure 1 is refined by the program of Figure 2. By structural induction, Proposition 9 is generalized to Argos programs.

  $R = \{q0, q1, a0, a1, b0, b1\}$; $In = \{a, g\}$; $Out = \{b, c, d, f\}$
  $P^{\Leftarrow}$:  $b \Leftarrow a \wedge q0$
                 $d \Leftarrow (c \wedge \neg a) \wedge q1$
                 $f \Leftarrow b \wedge a0$
                 $e \Le b \wedge a0$
                 $c \Leftarrow g \wedge b0$
  $P^{\rightarrow}$:  $q0 \rightarrow \alpha \vee ((c \wedge \neg a) \wedge q1) \vee (\neg a \wedge q0)$
                 $q1 \rightarrow (a \wedge q0) \vee (\neg(c \wedge \neg a) \wedge q1)$
                 $a0 \rightarrow \alpha \vee ((c \wedge \neg a) \wedge q1) \vee (\neg(b \vee a) \wedge a0)$
                 $a1 \rightarrow (\neg a \wedge b \wedge a0) \vee (\neg a \wedge a1)$
                 $b0 \rightarrow \alpha \vee ((c \wedge \neg a) \wedge q1) \vee (\neg(g \vee a) \wedge b0)$
                 $b1 \rightarrow (\neg a \wedge g \wedge b0) \vee (\neg a \wedge b1)$

Fig. 5. Boolean Automaton of the Argos automaton of Figure 1 refined at q0 by the program of Figure 2.

Since refinement is not symmetric, the result of Theorem 8 holds in a weaker form. $P$ can simulate $P_1$, but $P$ can simulate $P_2$ only when state $h$ is entered and only as long as state $h$ holds.

Theorem 11. Let $P = P_1 \rhd_h P_2$ with $Out_1 \cap Out_2 = \emptyset$. Then there is a homomorphism from $(S, T, \{\alpha\}, R)$ to $(S_1, T_1, \{\alpha\}, R_1)$.

Theorem 12. Let $P = P_1 \rhd_h P_2$ with $Out_1 \cap Out_2 = \emptyset$. Let $\{\alpha\} \xrightarrow{E_0} \sigma_1 \xrightarrow{E_1} \sigma_2 \xrightarrow{E_2} \ldots$ be a sequence of the transition system of $P$. Suppose this sequence contains a sub-sequence $\sigma_i \xrightarrow{E_i} \sigma_{i+1} \xrightarrow{E_{i+1}} \ldots \xrightarrow{E_{i+n}} \sigma_{i+n+1}$ with $h \notin \sigma_i$ and $h \in \sigma_{i+j}$ for $1 \le j \le n$, $i \ge 0$. Then there exists a sequence $\{\alpha\} \xrightarrow{E'_0} \sigma'_1 \xrightarrow{E'_1} \sigma'_2 \xrightarrow{E'_2} \ldots$ of the transition system of $P_2$ such that $\sigma'_j = \sigma_{i+j} \cap R_2$ for $1 \le j \le n$, and $E'_j = E_{i+j} \cap O_2$ for $0 \le j \le n$.

The translation scheme shows a clear connection between parallel composition and refinement: $\bigvee$ plays a similar key role in both definitions.
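The translation of section 2.2, the parallel composition of Definition 5 and the refinement of Definition 10, executed on the diagrams of Figures 1, 2 and 5, as an added example that is not the paper's code. The formula encoding, the names `argos_to_ba`, `compose`, `step`, `run` and `projects_onto`, and the restriction to one level of refinement (α of the refining BA is replaced directly by $\alpha_h$) are assumptions of this example.

```python
ALPHA = "alpha"  # the initial marker alpha, neither a register nor a signal
# Formulas: True/False, ("lit", name, polarity), ("and", [..]), ("or", [..]), ("not", f)
def lit(s, pol=True): return ("lit", s, pol)
def conj(M): return ("and", [lit(s, p) for s, p in M.items()])  # c.-a is {"c": True, "a": False}
def disj(fs): return ("or", list(fs))                              # disj([]) evaluates to false
def neg(f): return ("not", f)

def ev(f, env):
    """Evaluate f under env, the set of signals present and registers active."""
    if isinstance(f, bool): return f
    if f[0] == "lit": return (f[1] in env) == f[2]
    if f[0] == "not": return not ev(f[1], env)
    return (all if f[0] == "and" else any)(ev(g, env) for g in f[1])

class BA:
    """Argos BA in the form of section 2.2: per register h a start term (alpha, or alpha_h
    of the refined state), entry terms r ^ M, the refinement guard gamma_h and exit beta_h."""
    def __init__(self): self.reg, self.inp, self.out, self.oeq = {}, set(), set(), {}
    def alpha(self, h):    # alpha_h = start v (not gamma_h ^ V(r ^ M))
        p = self.reg[h]
        return disj([p["start"], ("and", [neg(disj(p["gamma"])), disj(p["enter"])])])
    def next_eq(self, h):  # h -> alpha_h v (not beta_h ^ h)
        return disj([self.alpha(h), ("and", [neg(disj(self.reg[h]["beta"])), lit(h)])])

def argos_to_ba(states, initial, transitions):
    """Section 2.2: one register per state; transitions are (source, M, outputs, target)."""
    ba = BA()
    for h in states:
        ba.reg[h] = {"start": lit(ALPHA) if h == initial else False, "enter": [], "gamma": [], "beta": []}
    for src, M, O, tgt in transitions:
        term = ("and", [lit(src), conj(M)])
        ba.reg[tgt]["enter"].append(term)
        ba.reg[src]["beta"].append(conj(M))
        for o in O: ba.oeq.setdefault(o, []).append(term)  # o <= V(h ^ M)
        ba.out |= set(O); ba.inp |= set(M)
    ba.inp -= ba.out
    return ba

def compose(p1, p2, at=None):
    """Definition 5 when at is None; Definition 10 (p1 refined at register `at` by p2) otherwise:
    alpha of p2 becomes alpha_at, and beta_at is or-ed into gamma and beta of every register of p2."""
    assert not set(p1.reg) & set(p2.reg)
    p = BA()
    p.reg = {h: dict(v) for h, v in {**p1.reg, **p2.reg}.items()}
    p.out = p1.out | p2.out; p.inp = (p1.inp | p2.inp) - p.out
    for o in p1.oeq.keys() | p2.oeq.keys():
        p.oeq[o] = p1.oeq.get(o, []) + p2.oeq.get(o, [])
    if at is not None:
        beta_h = p1.reg[at]["beta"]
        for q in (p.reg[h2] for h2 in p2.reg):
            if q["start"] is not False: q["start"] = p1.alpha(at)  # one level of refinement assumed
            q["gamma"], q["beta"] = q["gamma"] + beta_h, q["beta"] + beta_h
    return p

def step(p, sigma, inputs):
    """One instant: reaction E = I u P(sigma, E) as a broadcast fixpoint, then the next state."""
    E = set(inputs)
    for _ in range(len(p.out) + 1):
        new = E | {o for o, ts in p.oeq.items() if ev(disj(ts), sigma | E)}
        if new == E: break
        E = new
    return E, {h for h in p.reg if ev(p.next_eq(h), sigma | E)}

def run(p, inputs_seq):
    """Sequence of the labelled transition system from {alpha}: a list of (E_i, sigma_{i+1})."""
    sigma, trace = {ALPHA}, []
    for I in inputs_seq:
        E, sigma = step(p, sigma, I)
        trace.append((frozenset(E), frozenset(sigma)))
    return trace

def projects_onto(trace, p1):
    """Theorems 8, 11 and 12: does the run, projected on R1 u O1, follow component p1?"""
    sigma, obs = {ALPHA}, p1.inp | p1.out
    for E, nxt in trace:
        E1, sigma = step(p1, sigma, E & p1.inp)
        if E1 != E & obs or sigma != nxt & set(p1.reg): return False
    return True

FIG1 = argos_to_ba(["q0", "q1"], "q0", [("q0", {"a": True}, ["b"], "q1"),
                                        ("q1", {"c": True, "a": False}, ["d"], "q0")])
FIG2 = compose(argos_to_ba(["a0", "a1"], "a0", [("a0", {"b": True}, ["f", "e"], "a1")]),
               argos_to_ba(["b0", "b1"], "b0", [("b0", {"g": True}, ["c"], "b1")]))
FIG5 = compose(FIG1, FIG2, at="q0")  # Figure 5: q0 of Figure 1 refined by Figure 2
```

`run(FIG5, [set(), {"g"}, {"a"}])` reproduces the computation described after Figure 2 ({q0,a0,b0}, then {q0,a0,b1} emitting c, then {q1} only, with b, f and e emitted in the same instant), and `projects_onto` checks that its projection follows Figure 1 throughout but follows Figure 2 only while q0 is active.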
3 Modular Verification
The logic ∀CTL is a subset of CTL [5, 4]. It is constructed with the quantifier ∀ only and the usual four path operators: X (next), U (until), F (future) and G (generally). Negations are allowed at the level of atomic propositions only. ∀CTL formulas are interpreted on structures $K = (M, R, L, m_{in}, P)$: $M$ is a set of states, $R \subseteq M \times M$ is the reachability relation, $m_{in}$ is the initial state, $P$ is a set of atomic propositions, and $L$ is a labelling function which associates to any state the set of atomic propositions true at that state. A path $\pi = m_0, m_1, \ldots$ in $K$ is an infinite sequence of states of $M$ such that $\forall i \ge 0: (m_i, m_{i+1}) \in R$. We refer to [5, 4] for the full definitions.

The structure of a boolean automaton is almost its labeled transition system, except that labeled transitions become part of the labels attached to states.

Definition 13. Let $P$ be a BA and $(S, T, \{\alpha\}, R)$ its labeled transition system. Its structure is $K = (S, R, L, \{\alpha\}, R \cup O)$ where $L: S \to R \cup O$, the labelling function, is defined by $L(\sigma) = \sigma \cup E$ where $E \in T$ is such that $\sigma' \xrightarrow{E} \sigma$.

We say that a BA $P$ satisfies a state formula $\phi$, $P \models \phi$, iff $\{\alpha\} \models \phi$. The homomorphism of Theorem 11 induces a close relation between the paths in the structure of $P$ and the paths in the structure of $P_1$.

Lemma 14. Let $P = P_1 \rhd_h P_2$ with $Out_1 \cap Out_2 = \emptyset$. Let $K$ and $K_1$ be the structures of $P$ and $P_1$. Let $\sigma \in S$ and $\sigma' \in S_1$ such that $(\sigma, \sigma') \in H_1$. Then for every path $\pi = \sigma_0 \sigma_1 \ldots$ with $\sigma_0 = \sigma$ in $K$, there exists a path $\pi' = \sigma'_0 \sigma'_1 \ldots$ with $\sigma'_0 = \sigma'$ in $K_1$ such that for every $i \ge 0$, $(\sigma_i, \sigma'_i) \in H_1$ and, by the choice of $H_1$, $L(\sigma_i) \cap (R_1 \cup O_1) = L_1(\sigma'_i)$. We make a slight abuse of notation and for such paths we write $(\pi, \pi') \in H_1$.

The disjointness of the output signal sets is essential. Suppose the program of Figure 2 is modified to emit d when g is present. Again suppose state q0 of Figure 1 is refined by the program of Figure 2. One can obtain the following path: $\{\alpha\} \to \{q0, a0, b0\} \to \{q0, a0, b1, g, c, d\} \ldots$. Its projection on $R_1 \cup O_1$ is not legal for Figure 1.

A structural induction on the formulas $\phi$ and $\psi$ gives:
Lemma 15. Let $P = P_1 \rhd_h P_2$ with $Out_1 \cap Out_2 = \emptyset$. Let $K$ and $K_1$ be the structures of $P$ and $P_1$. Let $\phi$ be a state formula and $\psi$ be a path formula with atomic propositions in $R_1 \cup O_1$. Let $\pi$ and $\pi'$ be paths with $(\pi, \pi') \in H_1$. If $\pi' \models \psi$ then $\pi \models \psi$. Let $(m, m') \in M \times M'$ with $(m, m') \in H_1$. If $m' \models \phi$ then $m \models \phi$.
By Theorem 8, similar results can be obtained for parallel composition. Using these lemmata, one can easily deduce:

Theorem 16. Let $P_1$ and $P_2$ be two BA with $Out_1 \cap Out_2 = \emptyset$ and let $\phi$ be a ∀CTL state formula. Let $P = P_1 \rhd_h P_2$, with the atomic propositions of $\phi$ in $R_1 \cup O_1$: if $P_1 \models \phi$ then $P \models \phi$. Let $P = P_1 \| P_2$, with the atomic propositions of $\phi$ in $R_i \cup O_i$: if $P_i \models \phi$ then $P \models \phi$, $i = 1$ or $i = 2$.

The result one can achieve with the refining automaton $P_2$ is much weaker, since it is preempted any time the refined register $h$ is left. The formula $(b0 \wedge g) \to F\,b1$ is true for the Argos program of Figure 2, but it is not true anymore for the program obtained when the program of Figure 2 refines the program of Figure 1 at q0, since g and a could be present in the same instant. If $\phi$ is a formula true for every state in $P_2$, the formula one can derive for $P$ is roughly: $\phi$ holds as long as the state $h$ is active. This is formulated below.

Proposition 17. Let $P = P_1 \rhd_h P_2$ with $Out_1 \cap Out_2 = \emptyset$. Let $\forall G\,\phi$ be a formula with atomic propositions in $R_2 \cup O_2$: if $P_2 \models \forall G\,\phi$ then $P \models \forall G\,(h \to (\phi \vee F\,\neg h))$.

As an example, using Theorem 16, the property $q_0 \wedge a \Rightarrow AX\,q_1$, true for the module of Figure 1, is also true when the initial state q0 is refined by the program of Figure 2.
4 Conclusions

This paper presents a translation of Argos programs into Boolean Automata, which shows a clear connection between parallel composition and refinement. Consequences for modular formal verification are given. We have used these results to formally verify a time-triggered protocol modularly [10]. Our present work relies on the translation scheme for Argos and other synchronous languages as given in [7, 11]. Another translation format exists (see [1]). The work in [9] also presents a translation of Argos into Boolean equations. Further, the connection between parallel composition and refinement has also been pointed out in [8] using other arguments. We have restricted our presentation to the case where Argos programs are refined by other Argos programs, but in general Argos programs can be refined by other synchronous programs, and we think that our verification results still apply. In this way, various synchronous languages can be combined to produce one executable reactive program [11]. The verification results have been established for the Statecharts variant Argos, but we believe that they also hold for other Statecharts variants where inter-level transitions are allowed, as in [6]. Indeed, the key Theorems 11 and 12 can be generalized to include inter-level transitions. Another direction for future work is to consider sensible classes of safety properties that, when true for the refining program, yield properties also true for the whole program. Safety properties are crucial for the verification of real-time systems. In [3] it has been shown how to translate safety properties expressed as past temporal logic formulas into BAs. As these safety properties are a subset of ∀CTL formulas, Proposition 17 could be strengthened, and nice classes in terms of refining programs should exist.
References

1. A. Benveniste. Synchronous languages provide safety in reactive system design. Control Engineering, September 1994.
2. A. Benveniste and G. Berry. The synchronous approach to reactive and real-time systems. Proceedings of the IEEE, 79(9), 1991.
3. R. Budde and A. Merceron. Verifying a time-triggered protocol in a multi-language environment. In PART'98, pages 45-56. Springer-Verlag, 1998.
4. E. Clarke, O. Grumberg, and D. Long. Verification tools for finite-state concurrent systems. In A Decade of Concurrency, REX Symposium 1993, LNCS 803, pages 1-45. Springer-Verlag, 1994.
5. O. Grumberg and D. E. Long. Model checking and modular verification. ACM Transactions on Programming Languages and Systems, 16:843-871, 1994.
6. D. Harel. Statecharts: A visual approach to complex systems. Science of Computer Programming, 8:231-275, 1987.
7. M. Kubiczek and L. Holenderski. Compiling TARGOS to boolean automata. Technical report, GMD, Schloss Birlinghoven, D-53754 Sankt Augustin, 1996.
8. F. Maraninchi. Argos: a graphical language for the description of reactive systems. Spectre report 29, LGI, Imag-Campus, BP 53X, F-38041 Grenoble Cedex, 1991.
9. F. Maraninchi and N. Halbwachs. Compiling Argos into boolean equations. In FTRTFT'96, LNCS 1135, pages 312-328. Springer-Verlag, 1996.
10. A. Merceron, M. Müllerburg, and G. M. Pinna. Verifying a time-triggered protocol in a multi-language environment. In SAFECOMP98, LNCS 1516, pages 73-82. Springer-Verlag, 1998.
11. A. Poigné, M. Morley, O. Maffeïs, L. Holenderski, and R. Budde. The synchronous approach to designing reactive systems. Formal Methods in System Design, 12:163-187, 1998.